There are some rather unique names for cyberattacks out there, but one that is a true embodiment of its name is a man-in-the-middle (MitM) attack. While these attacks are not new, they continue to grow in sophistication as attackers increasingly look for ways to bypass defenses against credential and authorization methods such as multifactor authentication.
In this post, we will dive into how man in the middle attacks unfold, the most common attack techniques used, and key strategies for increasing your defenses against them.
What is a man in the middle attack?
A man-in-the-middle attack or also known as an adversary-in-the-middle attack (AitM), is a cybersecurity attack technique whereby a malicious actor intercepts and possibly alters the communication between two parties, typically a client and a server, without their knowledge.
The attacker positions themselves between the parties, allowing them to capture the traffic, modify or inject malicious content, and then forward the traffic to its destination. Attackers perform the latter to avoid targets’ awareness of the attacker’s presence.
The most common attack techniques
A threat actor can use many different techniques to perform a man-in-the-middle attack. Some standard techniques include, but are not limited to:
- Rogue access point: Attackers introduce a fake (rogue) access point into an existing wireless network or lures targets into connecting to a mostly open wireless network. Once the victim connects, the attacker can capture and inspect the traffic for information.
- Session hijacking: This often happens through phishing when an attacker lures the victim into logging into an application or website like a banking website or Microsoft 365. Once the user logs in, the attackers capture and steal the user’s session cookie or authentication tokens, which then are used to log in to the same application or website as the user.
- SSL stripping: The attacker downgrades a secure HTTPS connection to an unencrypted HTTP connection, making it easier to intercept and modify data.
- DNS spoofing: This refers to manipulating the Domain Name System (DNS) to redirect a user to a malicious website instead of the intended destination.
- IP spoofing: Attackers divert traffic from an actual application or website to their server. Instead of spoofing the DNS record, and thus redirecting traffic to a different IP address, they re-use the original IP address of the target server to direct traffic to their malicious server instead.
- ARP cache poisoning: Address Resolution Protocol (ARP) is used for discovering physical addresses of devices on a network (e.g., MAC address). In turn, this address is associated with the IP address of a computer, like a server. In an ARP poisoning attack, the victim’s computer is fed with false information, allowing the attacker to redirect the victim’s traffic to their server.
- WPAD attack: Web proxy auto-discover (WPAD) is a feature that allows clients to discover proxy servers on the network automatically. To do so, the client leverages DHCP or DNS to find the proxy server(s) to which it should send traffic. By performing either a DNS or DHCP spoofing attack, malicious actors can send wrong information to the client, tricking them into connecting to a malicious proxy server instead.
Although the principle of these types of attacks is not new, they have gained popularity over the past few years. Between 2022 and 2023, The Collective’s security operations center has seen a significant (300%) increase in session hijacking attacks, driven mainly by the fact that this technique is used to capture (steal) authentication tokens that allow the malicious actor to bypass additional security controls like multifactor authentication.
Example of a man-in -the-middle attack
Each man-in-the-middle attack follows a similar pattern. The specifics are different, depending on the attack technique.
An attacker must be able to capture the victim’s traffic to be successful. To do so, they must either lure the victim to connect to the attacker’s server and infrastructure, or their genuine communication must be somehow unknowingly redirected. To explain an attack in more detail, we shall use a typical session hijacking attack as an example.
Consider the following scenario: Jane is the victim. Attackers are targeting Jane because she is Company Z’s Microsoft 365 global administrator.
A common way to lure people into connecting to the attacker’s infrastructure is to send them a phishing e-mail containing links to it – typically a proxy server running malicious software, like EvilGinx. The success rate depends greatly on the user’s skill to detect such a phishing attack. Given the high success rate of phishing attacks, it is still the number one method chosen by attackers.
Jane opens the e-mail and fails to detect it is a phishing message. After all, the link in the e-mail redirects Jane to login.microsoftonIine.com, which initially seems legitimate. However, depending on your font, you will notice that the L (‘onLine’) is a capital ‘I’ instead.
Once Jane connects to the malicious website, she is presented with an exact copy of the Microsoft 365 login page. Except for the misspelled URL, there are no visual clues for Jane to detect that her computer is not connecting directly to Microsoft 365 but is communicating to the attacker’s infrastructure.
Jane decides to enter her username and password, prompting her to perform multifactor authentication. Although the information she provides is forwarded to the legitimation Entra ID system, the attacker was already able to capture the username and password as it was forwarded to Microsoft Entra ID.
Upon completing the MFA challenge, Entra ID sends back an Authentication and Refresh Token. Given that the information is proxied to the attacker’s infrastructure, the attacker receives it, stores it, and forwards it to the victim.
At this point, the attacker could capture the username, password, and any authentication artifacts, including the session/authentication cookies. With just the username and password, the attacker could do very little, especially considering that Jane must perform multifactor authentication to log on to Microsoft 365.
However, the session or authentication cookies also store the proof of completing multifactor authentication. So, by re-using those, the attacker can mimic Jane and provide evidence that multifactor authentication was completed, effectively bypassing the requirement to perform multifactor authentication. Scary, right?
Strategies for protecting from and detecting man-in-the-middle attacks
How you can protect from or detect man-in-the-middle attacks greatly depends on how and where the attack was performed and what technique was used. It also depends on the application or target server and what features and capabilities these provide to detect ongoing or successful attacks.
In general, there are a few things you should consider:
- Phishing. As phishing is still the most popular way to start a man-in-the-middle attack, reducing the amount of phishing, or the likelihood that a user clicks a malicious URL, is still the most effective. To try and reduce phishing, amp up your anti-phishing protective measures and continuously invest in user awareness. Just keep in mind that users will continue to click links they shouldn’t and that some phishing messages will always slip through your defenses.
- Connections to strange URLs. Monitor connections to websites that may resemble legitimate URLs but are slightly different, like in the example above. Be cautious of new URLs and check for mismatches between a URL and the expected IP address of the destination. The latter is rather complex, considering that many cloud applications use various IP address ranges that change from time to time.
- Avoid the use of unknown or untrusted Wi-Fi networks. By preventing the use thereof or instructing users not to establish a connection to networks they don’t know, you can reduce the likelihood of establishing a link to a rogue or malicious network through which an attacker can more easily perform specific attacks.
- Look for suspicious activity in applications. In a successful man-in-the-middle attack, malicious actors will connect to the target application to perform a variety of activities to either perform additional reconnaissance, exfiltrate data or – if they have obtained administrator privileges – modify parameters in the system. All these activities create opportunities to detect unusual activities, hinting towards a potentially successful attack. Newer monitoring and SIEM solutions include User and Entity Behavior Analytics (UEBA) to reason over large amounts of data and look for anomalies using machine learning models.
- Protect sensitive applications. Leverage the highest possible form of authentication: phishing-resistant MFA. Although this does not prevent all types of man-in-the-middle attacks, it can help avoid the theft of authentication material from systems that support it.
- Enforce network restrictions. Depending on the application, you may be able to enforce connections from a specific network. In some cases, attackers are not present in the network, so it may effectively prevent them from connecting to the target application(s), even if they have captured authentication artifacts like a username and password or authentication cookies. Whether or not this method works largely depends on the target application.
- Encrypt DNS traffic. By moving away from traditional UDP-based DNS resolution to, for example, DNS-over-HTTPS; you make it considerably more difficult for attackers to perform a successful DNS spoofing attack, considering the DNS traffic is now encrypted.
Man-in-the-middle attacks pose a significant threat to data confidentiality, integrity and privacy. To mitigate these attacks, users and organizations should be extra vigilant when connecting to URLs and should encrypt data and communication streams as much as possible. Of course, maintaining a high level of security hygiene, such as ensuring systems are up-to-date and devices have a solid security baseline, remains a must.